Linux v3.13-rc3-249-g2208f65

This commit is contained in:
Josh Boyer 2013-12-12 16:31:21 -05:00
parent 211cf9eef9
commit 00361ff6dc
3 changed files with 5 additions and 157 deletions

View File

@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level # The rc snapshot level
%define rcrev 3 %define rcrev 3
# The git snapshot level # The git snapshot level
%define gitrev 2 %define gitrev 3
# Set rpm version accordingly # Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0 %define rpmversion 3.%{upstream_sublevel}.0
%endif %endif
@ -703,9 +703,6 @@ Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch
#rhbz 1000439 #rhbz 1000439
Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
#CVE-2013-6382 rhbz 1033603 1034670
Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
#rhbz 1033965 #rhbz 1033965
Patch25169: 0001-Revert-selinux-consider-filesystem-subtype-in-polici.patch Patch25169: 0001-Revert-selinux-consider-filesystem-subtype-in-polici.patch
@ -1395,9 +1392,6 @@ ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch
#rhbz 1000439 #rhbz 1000439
ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
#CVE-2013-6382 rhbz 1033603 1034670
ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
#rhbz 1033965 #rhbz 1033965
ApplyPatch 0001-Revert-selinux-consider-filesystem-subtype-in-polici.patch ApplyPatch 0001-Revert-selinux-consider-filesystem-subtype-in-polici.patch
@ -2230,6 +2224,9 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc3.git3.1
- Linux v3.13-rc3-249-g2208f65
* Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org> * Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071) - CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071)
- CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099) - CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099)

View File

@ -1,3 +1,3 @@
cc6ee608854e0da4b64f6c1ff8b6398c linux-3.12.tar.xz cc6ee608854e0da4b64f6c1ff8b6398c linux-3.12.tar.xz
be2604350d32ab4967f9773920de1ec8 patch-3.13-rc3.xz be2604350d32ab4967f9773920de1ec8 patch-3.13-rc3.xz
0bae6992c2ba067632626e45723f79a0 patch-3.13-rc3-git2.xz e730cb827aaf252cf2a016ebafe4f6ef patch-3.13-rc3-git3.xz

View File

@ -1,149 +0,0 @@
Bugzilla: 1033603
Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654
Path: news.gmane.org!not-for-mail
From: Dan Carpenter <dan.carpenter@oracle.com>
Newsgroups: gmane.comp.file-systems.xfs.general
Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
Date: Thu, 31 Oct 2013 21:00:10 +0300
Lines: 43
Approved: news@gmane.org
Message-ID: <20131031180010.GA24839@longonot.mountain>
References: <20131025144452.GA28451@ngolde.de>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC)
Cc: Fabian Yamaguchi <fabs@goesec.de>, security@kernel.org,
Alex Elder <elder@kernel.org>, Nico Golde <nico@ngolde.de>, xfs@oss.sgi.com
To: Ben Myers <bpm@sgi.com>
Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013
Return-path: <xfs-bounces@oss.sgi.com>
Envelope-to: sgi-linux-xfs@gmane.org
Original-Received: from oss.sgi.com ([192.48.182.195])
by plane.gmane.org with esmtp (Exim 4.69)
(envelope-from <xfs-bounces@oss.sgi.com>)
id 1Vbwag-0001Ow-Sv
for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100
Original-Received: from oss.sgi.com (localhost [IPv6:::1])
by oss.sgi.com (Postfix) with ESMTP id DB14A7F85;
Thu, 31 Oct 2013 13:03:28 -0500 (CDT)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
autolearn=ham version=3.3.1
X-Original-To: xfs@oss.sgi.com
Delivered-To: xfs@oss.sgi.com
Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111])
by oss.sgi.com (Postfix) with ESMTP id A0ED87F83
for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 13:03:27 -0500 (CDT)
Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11])
by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B
for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 11:03:24 -0700 (PDT)
X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ
Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by
cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1
cipher=AES256-SHA bits=256 verify=NO);
Thu, 31 Oct 2013 11:03:20 -0700 (PDT)
X-Barracuda-Envelope-From: dan.carpenter@oracle.com
X-Barracuda-Apparent-Source-IP: 156.151.31.81
Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
ESMTP id r9VI3AZn009606
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
Thu, 31 Oct 2013 18:03:11 GMT
Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231])
by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
r9VI39qG016923
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Thu, 31 Oct 2013 18:03:10 GMT
Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53])
by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT
Original-Received: from longonot.mountain (/105.160.144.228)
by default (Oracle Beehive Gateway v4.0)
with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700
X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
Content-Disposition: inline
In-Reply-To: <20131025144452.GA28451@ngolde.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81]
X-Barracuda-Start-Time: 1383242600
X-Barracuda-Encrypted: AES256-SHA
X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at sgi.com
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No,
SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0
QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937
Rule breakdown below
pts rule name description
---- ----------------------
--------------------------------------------------
0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay
lines
X-BeenThere: xfs@oss.sgi.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: XFS Filesystem from SGI <xfs.oss.sgi.com>
List-Unsubscribe: <http://oss.sgi.com/mailman/options/xfs>,
<mailto:xfs-request@oss.sgi.com?subject=unsubscribe>
List-Archive: <http://oss.sgi.com/pipermail/xfs>
List-Post: <mailto:xfs@oss.sgi.com>
List-Help: <mailto:xfs-request@oss.sgi.com?subject=help>
List-Subscribe: <http://oss.sgi.com/mailman/listinfo/xfs>,
<mailto:xfs-request@oss.sgi.com?subject=subscribe>
Errors-To: xfs-bounces@oss.sgi.com
Original-Sender: xfs-bounces@oss.sgi.com
Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654
Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654>
If we allocate less than sizeof(struct attrlist) then we end up
corrupting memory or doing a ZERO_PTR_SIZE dereference.
This can only be triggered with CAP_SYS_ADMIN.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 4d61340..33ad9a7 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
return -XFS_ERROR(EPERM);
if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
return -XFS_ERROR(EINVAL);
/*
diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
index e8fb123..a7992f8 100644
--- a/fs/xfs/xfs_ioctl32.c
+++ b/fs/xfs/xfs_ioctl32.c
@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
if (copy_from_user(&al_hreq, arg,
sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
return -XFS_ERROR(EINVAL);
/*
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs